Initially, this might look like a simple control, but there’s actually a lot to it and it’s very important. It’s also a control which shows how important it is NOT to look at controls in isolation.
What does the standard require?
The standard states that “Personnel and other interested parties as appropriate shall return all the organisation’s assets in their possession upon change or termination of their employment, contract or agreement.” (A5.11 Return of assets)
Why is this required?
When someone leaves your organisation or changes role, you must ensure that they return any items they were provided with to carry out their role. This can include their mobile phone, keys, laptops, software, and other assets.
This matters from a financial perspective, of course, because you want to get those tangible assets back (like mobile phones). But it’s also important because you need to ensure any company or client confidential material is returned. If you didn’t have this control in place, you could potentially be looking at a data breach in the future, or a breach of confidence (for example, if client details are released).
Therefore, this control is important because it ensures you have control of informational assets from start (when you allocate assets) to the end (when someone leaves or changes roles).
Also note that this is not just about your own personnel. It’s about service providers and contractors also.
What the auditor is looking for
You are not required to have a policy, or even a written process, but you should be able to demonstrate to the auditor that a process is followed.
For example, you might have an exit process which is followed by the HR function. This process could be a simple checklist of actions carried out when someone leaves and includes the return of company assets. This might be the same for a contract coming to an end (for a contractor), or discussed within the service management agreement with vendors.
The auditor will want to review your inventory of assets, which you created when complying with A5.9 (Inventory of information and other associated assets). As stated above, this is where you start to see how controls begin to overlap and become increasingly important (which makes them harder to place ‘out of scope’).
You should also show the auditor your contracts or contract templates for suppliers to demonstrate you require the return of any data or other assets once the contract ends.
Remember that this control isn’t about documenting a policy, or even a process. But you should have a process which is repeatable. As your business grows, you might decide to document how you manage the return of assets, but showing that you do it (in practice) is more important than showing a theoretical process ‘flow’.
Q & A
How do we deal with the use of personal devices?
While the focus is of course on the return of company assets, you should consider how personal devices are used and ensure that any data stored on these is destroyed. This might be something you do during the exit interview. If the person isn’t present when this happens, then you should ask them to confirm that any company data has been destroyed. It would be prudent to also remind them of their obligations towards information security and data protection.
Is it possible to get this wrong?
The only way you can get this wrong is if you don’t have a process at all, or you don’t have an asset register. Again, you do not need a policy or even a written process on how you handle the return of assets. You simply need to demonstrate that you have a process which is followed consistently.
Difficulty rating
We rate this a 1 out of 5 difficulty rating. This means that it requires little if any technical skill to understand the requirement. This control simply needs a checklist that you follow when someone leaves or changes roles, to ensure you collect assets from them.
More questions?
Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship to other controls, but if you’re still confused by how to implement an RBAC process or identify the key roles in your organisation, just get in touch and our ISO 27001 consultants will be happy to help.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001” which is available on Amazon.